Cybersecurity staffing issues may be putting you at risk

Cybersecurity is a priority for most businesses, but many are finding a lack of available cybersecurity talent. But not being able to hire the right candidates is no excuse to ignore your security needs.

A study from Spiceworks found that even though 80 percent of organizations experienced a "security incident" in 2015, only 29 percent of companies have a cybersecurity expert working in their IT department and only 7 percent have a cybersecurity expert on their executive team. And a majority -- 55 percent to be exact - said that their business didn't have "regular access" to any IT security experts at all, internal or third-party, with the majority of companies also reporting they had no plans to hire or contract one within the next year.

Those numbers are surprising when you consider that data from IBM found that the average total cost of a data breach hovers around $4 million, with a price tag of around $154 per lost or stolen confidential file. Those numbers should ignite a spark under any business leader -- suggesting that employing a cybersecurity expert will save you money down the line. But while 73 percent of CIOs and senior IT leaders saying they view cybersecurity as a priority in 2016, only 56 percent of CTOs, 54 percent of CEOs and 30 percent of CMOs feel the same way.

"With each new breach and cybercriminal attack, more companies are realizing they're vulnerable, too. However, the cybersecurity skills gap is making it even harder for companies to quickly address cybersecurity problems. Organizations should start putting their cybersecurity special forces together now to create processes around IT security and tackle external threats," says John Hodges, vice president of Product Strategy at AvePoint.

Waiting on the cybersecurity graduates

One problem with finding cybersecurity professionals is that it's a relatively new skill that requires higher education and certifications. That leaves a gap between the time when the workforce identifies a need for this skill and when potential candidates can actually complete a relevant degree, obtain certifications and gain training or experience, according to Hodges.

For businesses that can't find cybersecurity talent or who can't wait for candidates to graduate from security programs, it might make sense to hire a third-party service. That's especially true for smaller businesses that might not be able to compete against larger corporations in the hiring war for security professionals says Judson Van Allen, director of recruiting of Strategic Staffing Services at CTG.

Hiring a third-party security provider can help alleviate some of the load on IT and get your business through the dry spell of cybersecurity candidates. In a few years, once more workers enter the job market with the right qualifications, you can start building up an internal team with outside talent.

A lack of internal training

Chances are you already have future security pros within your own ranks -- it would stand to reason that businesses have turned to internal talent to find cybersecurity experts. But, according to the data from Spiceworks, that's not necessarily the case. When asked how willing they would be to invest in IT training for 2016, 57 percent said they were "somewhat open, but it would take some convincing," while only 6 percent said they were "extremely open" and had already made investments in training.

"Smart people within your own ranks have the huge advantage of already knowing the context of the enterprise to be protected. By using in-house staff, you can save on the time it takes to teach them the context of the enterprise," says Ryan Hohimer, co-founder and CTO of DarkLight Cyber.

Beyond training your own IT pros in security, Hodges also recommends educating your employees, as they can often be one of the biggest in-house data risks. He suggests focusing on building a culture around security that includes emphasizing a "data privacy first" attitude, encouraging only collecting data that is necessary and ensuring they understand how to get rid of unneeded data.

"This can go a long way to supplementing the lack of in-house resources, because at the end of the day, cybersecurity is ultimately everyone's job," he says.

It might take some convincing to get the budgets in place to train internal workers -- but Apratim Purakayastha, CTO at Skillsoft, says it needs to be framed as an investment rather than a cost. By investing in training, you'll create an internal workforce that will help you avoid major profit losses in the event of a breach.

Cybersecurity is a full-time job

One caveat to training your own employees on cybersecurity is that you will need to accommodate for the fact that it will become a full-time job. You can't expect your IT pros to juggle networks, servers, hardware, software and cybersecurity. Cybersecurity professionals have to spend a lot of time figuring out every possible way someone could attack your business, says Van Allen.

"Simply put, everything is growing more complex. The threats are more complex, as are the networks attackers are attempting to breach and compromise," he says.

That means you need to give cybersecurity professionals the time, budget and resources they need to develop preventative strategies. You don't want to rely on strictly reactive solutions to security. Van Allen says this requires a "holistic view" of cybersecurity, especially since these types of threats are only going to grow more complex in coming years.

Mitigating cost

If you're dragging your feet on hiring a cybersecurity expert or training someone within your own ranks, you might be throwing money out the window. Hodges says that data breaches have simply become part of the cost of doing business, so they should be planned for and ultimately expected; and a great way to avoid spending millions on a security breach is to be prepared for one.

Purakayastha says that for IT leaders struggling to present the cost-benefit to executives, they might consider outlining the legal implications of cybersecurity when it isn't taken seriously. For example, there's a chance that if a business experiences a hack, depending on laws and compliance issues, they might need to prove that they did everything they could to prevent that attack. If the cost savings won't light a fire under the executive team, the legal implications of cybersecurity might, he says.

"Cybersecurity pros are a company's front line of defense against attacks and failing to have the proper staffing leaves your company open to attacks and the ramifications of attacks," he says.